The fast moving world of Internet time has left the federal government behind when it comes to protecting your private information.
That was the central conclusion of a report issued this week by watchdogs at the Government Accountability Office which said that ensuring the privacy and security of personal information collected by the federal government remains a challenge, particularly in light of the increasing dependence on networked information systems that can store, process and transfer vast amounts of data. For example, GAO has many challenges arise in protecting the privacy of personal information by agencies ' use of Web 2.0 and data-mining technologies.
From the GAO: "These challenges include updating federal laws and guidance to reflect current practices for collecting and using information while striking an appropriate balance between privacy concerns and the government's need to collect information from individuals. They also involve implementing sound practices for securing and applying privacy protection principles to federal systems and the information they contain. Without sufficient attention to these matters, Americans' personally identifiable information remains at risk."
It's not like the feds haven't tried to protect personal information. The Privacy Act of 1974 and the Privacy Act and the E-Government Act of 2002 both have provisions to protect personal data gathered by the government but time has passed both of their protections by, the GAO found.
GAO identified privacy issues in three major areas:
- Applying privacy protections consistently to all federal collection and use of personal information. The Privacy Act's protections only apply to personal information when it is considered part of a "system of records" as defined by the act. However, agencies routinely access such information in ways that may not fall under this definition.
- Ensuring that use of personally identifiable information is limited to a stated purpose. Current law and guidance impose only modest requirements for describing the purposes for collecting personal information and how it will be used. This could allow for unnecessarily broad ranges of uses of the information.
- Establishing effective mechanisms for informing the public about privacy protections. Agencies are required to provide notices in the Federal Register of information collected, categories of individuals about whom information is collected, and the intended use of the information, among other things. However, concerns have been raised whether this is an effective mechanism for informing the public.
In the end the GAO recommended two big steps the federal agencies should take:
- Ensure the implementation of a robust information security program as required by FISMA. Such a program includes periodic risk assessments; security awareness training; security policies, procedures, and practices, as well as tests of their effectiveness; and procedures for addressing deficiencies and for detecting, reporting, and responding to security incidents.
- Data breaches could be prevented by limiting the collection of personal information, limiting the time such data are retained, limiting access to personal information and training personnel accordingly, and considering the use of technological controls such as encryption when data need to be stored on mobile devices.
The GAO report says it and agency inspectors general have continued to report on vulnerabilities in security controls over agency systems and weaknesses in their information security programs, potentially resulting in the compromise of personal information. Federal agencies reported 13,017 such incidents in 2010 and 15,560 in 2011, an increase of 19%.
Layer 8 Extra
Check out these other hot stories: